Oracle has updated Java with Java SE Development Kit 6, Update 33 (JDK 6u33), providing 14 security fixes, 12 of which can be remotely exploited without authentication. Of particular note with the Oracle June Java update is the fact that Apple is updating Java at the same time.
Apple has typically followed Oracle updates by several weeks, a lag that left Mac OS X users exposed while attackers exploited vulnerabilities that were already public and already patched elsewhere. The Flashback malware that infected hundreds of thousands of Macs in April was directly attributable to Apple’s delay in releasing a Java update to Mac OS X users.
The rapid Java update from Apple is being welcomed by security experts.
“I was quite surprised to see the update from Apple timed in conjunction with Oracle,” Wolfgang Kandek, CTO of Qualys told eSecurity Planet. “In hindsight, it makes a lot of sense and I am happy that Apple has accelerated its release schedule so much. It seems that Apple has become more attentive to security issues.”
Sophos security researcher Chester Wisniewski told eSecurity Planet that he too was pleasantly surprised by Apple being so prompt.
“I suppose it is a little of the old ‘Fool me once, shame on you; fool me twice, shame on me,'” Wisniewski said.
Apple did not respond to a request for comment from eSecurity Planet by press time.
Apple has long issued its own Java updates for Mac OS X instead of relying on Oracle and its predecessor Sun. That situation is set to change this year as a multi-year initiative comes to fruition. In November 2010, Apple announced that it would be contributing the components of its Java implementation for OS X to the Oracle-led OpenJDK project. The OpenJDK-based Mac OS X Java updates will begin this year with a Java SE 7 release. Currently, Mac OS X users, like Windows and Linux users, primarily run Java SE 6.
The Time to Update Java is Now
The importance of updating Java immediately — regardless of whether you are using Windows, Mac OS X, or Linux — cannot be overstated.
“Many of the vulnerabilities fixed in the latest Java are remote code execution, so they are very important,” Wisniewski said. “Not any one stands out, but they will likely be exploited if they are not already in the wild.”
Over the last several years, Java has been one of the most exploited technologies, and not just on Mac OS X. In 2011, studies from Cisco and Qualys both independently identified Java as the most vulnerable browser plug-in.
It’s a fact that still rings true in 2012. Kandek said that Java continues to be the leading plugin in the “outdated” category, according to Qualys’ data.
“Our latest data shows that about 24 percent of all Java plugins are outdated,” Kandek said. “I believe once you are on an old plugin that does not autoupdate it is very difficult to get away from that old version.”
One way users can find out-of-date Java installs and be pointed to the current release is the free BrowserCheck tool from Qualys. Mozilla also offers a free cross-browser check that easily identifies out-of-date Java plug-ins.
The latest Java updates are currently freely downloadable from Oracle.
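For administrators who would rather check machines from a script than through a browser tool, the following is an added example (not code from the article, nor from Qualys, Mozilla, Oracle or Apple). It parses the banner that `java -version` writes to stderr and decides whether the installed Java 6 or Java 7 build predates the June 2012 patched levels (1.6.0_33 and 1.7.0_05). The sample banners are constructed for the example; the minimum update numbers are the assumption the check is built on.

```shell
# Added example: flag a JRE whose version predates the June 2012 Java fixes.
# Assumed patched levels: Java 6 Update 33 and Java 7 Update 5.
MIN_UPDATE_JAVA6=33
MIN_UPDATE_JAVA7=5

# java_version_string BANNER: pull the version token (e.g. 1.6.0_31) out of
# the first line of a "java -version" banner. Prints nothing if absent.
java_version_string() {
    printf '%s\n' "$1" | sed -n 's/^java version "\([^"]*\)".*/\1/p' | head -n 1
}

# java_is_outdated VERSION: exit 0 if VERSION is below the patched level for its
# train, 1 if it is current, 2 if the string is unparseable or the train
# (Java 8 and later) is not covered by this check.
java_is_outdated() {
    ver="$1"
    # 1.6.0_31 -> major "6", update "31"; a bare 1.6.0 counts as update 0
    major=$(printf '%s' "$ver" | sed -n 's/^1\.\([0-9]*\)\..*/\1/p')
    update=$(printf '%s' "$ver" | sed -n 's/.*_\([0-9]*\).*/\1/p')
    [ -z "$major" ] && return 2
    [ -z "$update" ] && update=0
    # Java 5 and earlier: end-of-life, always outdated
    if [ "$major" -lt 6 ]; then return 0; fi
    case "$major" in
        6) min_update=$MIN_UPDATE_JAVA6 ;;
        7) min_update=$MIN_UPDATE_JAVA7 ;;
        *) return 2 ;;
    esac
    if [ "$update" -lt "$min_update" ]; then return 0; fi
    return 1
}

# check_banner BANNER: print "OUTDATED <ver>", "OK <ver>" or "UNKNOWN" and
# return the same code as java_is_outdated (always 0 after printing UNKNOWN? no:
# 2 for UNKNOWN, 0 for OUTDATED, 1 for OK).
check_banner() {
    v=$(java_version_string "$1")
    if [ -z "$v" ]; then echo "UNKNOWN"; return 2; fi
    if java_is_outdated "$v"; then echo "OUTDATED $v"; return 0; fi
    echo "OK $v"; return 1
}

# Constructed sample banners, shaped like what `java -version 2>&1` prints.
OLD_MAC='java version "1.6.0_31"
Java(TM) SE Runtime Environment (build 1.6.0_31-b04-415-11M3635)
Java HotSpot(TM) 64-Bit Server VM (build 20.6-b01-415, mixed mode)'
PATCHED='java version "1.6.0_33"
Java(TM) SE Runtime Environment (build 1.6.0_33-b03)'
JAVA7_OLD='java version "1.7.0_04"'

# Live check on the current machine (uncomment where a java binary exists):
# check_banner "$(java -version 2>&1)"
```

The banner goes to stderr, hence the `2>&1` in the live call. The check only covers the Java 6 and Java 7 trains discussed on this page; a browser may also load a plug-in from a different JRE than the one first on `PATH`, so treat a clean result here as one data point, not proof that every plug-in is current.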